SAN FRANCISCO – Uber Technologies, Inc., has entered a non-prosecution agreement with federal prosecutors to resolve a criminal investigation into the coverup of a significant data breach suffered by the company in 2016, announced United States Attorney Stephanie M. Hinds and Federal Bureau of Investigation Special Agent in Charge Sean Ragan.
As part of a non-prosecution agreement to resolve the investigation, Uber admitted to and accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach from the Federal Trade Commission (“FTC”), which at the time of the 2016 breach had a pending investigation into the company’s data security practices. The FTC’s investigation continued from 2015 into 2017, and its written questions to Uber required Uber to provide information about any unauthorized access to personal information.
In the agreement’s Statement of Facts, Uber admits that its personnel failed to report the November 2016 data breach to the FTC despite a pending FTC investigation into data security at the company. According to the agreed facts, the hackers responsible for the 2016 breach used stolen credentials to access a private source code repository and obtain a private access key. The hackers then used that key to access and copy large quantities of data associated with Uber’s users and drivers, including data pertaining to approximately 57 million user records with 600,000 drivers’ license numbers. The breach was not reported to the FTC until approximately a year later, when new executive leadership was managing the company. Upon learning of the 2016 data breach, the new leadership team investigated the breach and disclosed it to affected drivers, to the public, to law enforcement, and to foreign and domestic regulators, including state attorneys general and the FTC.
The agreement filed today acknowledges several factors that support the resolution of the criminal investigation by a non-prosecution agreement. First, the agreement notes a change of executive management in late 2017 and the new leadership team’s prompt investigation of the 2016 breach and its disclosure to the public, FTC, law enforcement, and foreign and domestic regulators, and state attorneys general. Second, the agreement notes the company has invested substantial resources to significantly restructure and enhance the company’s compliance, legal, and security functions.
Third, the agreement further describes that in October 2018, after disclosing the 2016 data breach, Uber entered an agreement with the FTC under which Uber agreed to maintain a comprehensive privacy program for 20 years and to report to the FTC any incident reported to other government agencies relating to unauthorized intrusion into individuals’ consumer information. Fourth, the agreement cites Uber’s full cooperation with the government investigation of this matter, including the ongoing criminal case against Uber’s former chief security officer for his alleged attempt to cover-up the 2016 breach. However, the charges in that case are merely allegations, and the defendant in that case, as in all criminal cases, is presumed innocent until proven guilty beyond a reasonable doubt.
Finally, the agreement also notes that Uber settled civil litigation with the attorneys general for all 50 States and the District of Columbia related to the 2016 data breach, paying $148 million and agreeing to implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments.
Link to non-prosecution agreement here.
The case is being prosecuted by the Corporate and Securities Fraud Section of the U.S. Attorney’s Office. The case is being investigated by the FBI. The U.S. Attorney’s Office acknowledges the assistance of the FTC.